Quiz 4 Info Security


What information attributes to track depends on:

- Needs of organization/risk management efforts
- Management needs of information security/information technology communities

Benchmarking

- an alternative to CBA
- process of seeking out and studying practices in other organizations that one's own organization desires to duplicate

Defense Strategy Summary

- assigns a mitigation approach to each vulnerability
- key info: defense/vulnerability list

Defense (Avoidance)

- attempts to prevent exploitation of the vulnerability
- available methods: policy, education, technology, or a combination

Current Best Practices

- baseline and track basic defense coverages
- baseline and track patch latency
- password strength rater
- automated platform compliance scores
- email traffic analysis

Termination

- benefit of business practice not worth the potential reward
- methods: evaluate alternative methods, discontinue service

Cost Benefit Analysis

- common, accepted approach for information security controls selection
- evaluates value of assets to be protected compared with the expense of protection
- EX: economic feasibility study

Methods for selecting risk control strategy

- cost benefit analysis
- benchmarking
- best practices

Acceptance

- doing nothing to protect a vulnerability and accepting the outcome of its exploitation
- valid only when the particular function, service, information, or asset does not justify the cost of protection

What are the three components of risk assessment?

- estimate of the likelihood of attack
- estimate of the likelihood of success
- estimate of the magnitude of loss

Vulnerability Matrix Summary

- identify threat-asset pairs or vulnerabilities
- key info: comprehensive list of vulnerabilities

What are two measurement categories used to compare practices in benchmarking?

- metrics-based measures
- process-based measures

Problems with Applying Benchmarking and Best Practices

- organizations don't talk to each other
- no two organizations are identical
- best practices are a moving target
- knowing what was going on in information security in recent years through benchmarking doesn't necessarily prepare for what's next

Contractual Transfer

- risk transfer mechanism
- refers to the various methods other than insurance by which a pure risk and its potential financial consequences can be transferred to another party

Risk Transfer

- stick to your knitting: transfer non-expert internal services to external expert organizations
- available methods: service level objectives, insurance

When considering best practices for adoption in an organization

- Does the organization resemble the identified target with the best practice?
- Are the resources at hand similar?
- Is the organization in a similar threat environment?

Weighted Factor Analysis

Lists the information assets in rows and a few criteria in columns; each column is given a weight, and the weights must add up to 100. Each asset is then scored by multiplying its score on each criterion by that criterion's weight.

Risk Management

a continuous life cycle process

risk assessment is considered

a guesstimation

A vulnerability exists when what two things come together?

a threat and an asset

Know yourself

identify, examine and understand the information and systems currently in place

Who is responsible for classifying their information assets?

information owners

At the end of risk identification process,

list of assets and their vulnerabilities is achieved

What asset attributes are to be included in asset identification?

name, IP address, MAC address, element type, serial number, manufacturer name, model number, software version, physical location, logical location, controlling entity

What does the ranked vulnerability worksheet look like?

one column for the asset, one column for the asset impact, one column for the vulnerability, and another column for its likelihood; each asset is then given a risk-rating factor in the final column

Vulnerability Identification works best when

people with diverse backgrounds within organization work iteratively in a series of brainstorming sessions

Asset Attributes for people

position, clearance level, name/number/id, special skills, supervisor

Risk Assessment Summary

process of assigning a value or risk rating to asset/threat pairs (vulnerabilities)

Risk Assessment

process of determining the extent to which given risks may impact organizational assets

Risk Identification

process of examining and documenting an organization's current information technology security situation

Risk Control Summary

process of taking carefully reasoned steps to ensure the confidentiality, integrity and availability of components in organization's information system

Information classifications must be

reviewed periodically

Tzu's concept of "know your enemy" relates to what phase of the risk management process?

risk identification

Tzu's concept of "know yourself" relates to what phase of the risk management process?

risk identification

Residual Risk

risks that remain in information assets even after existing controls are applied

Best business practices

security efforts that provide a superior level of protection of information

Vulnerability Identification

specific avenues threat agents can exploit to attack an information asset are called vulnerabilities

Risk Appetite

the degree to which orgs are willing to accept risk as trade-off to the expense of applying controls

What two values in the estimated risk are percentages?

the likelihood of attack and the likelihood of success

What deliverable is tied to the risk assessment phase?

the ranked vulnerability worksheet where the final quantity reported for each asset/threat pair is the risk rating factor

Risk Assessment evaluates

the relative risk for each vulnerability and assigns a risk rating score to each information asset

What work product results from vulnerability identification?

threat/asset matrix

What is the primary objective for the weighted factor analysis?

to provide value and prioritize assets, it provides a weighted score for each asset

Ranked Vulnerability Worksheet summary

- uses estimates for attack, success and loss
- key info: weighted vulnerability list

What deliverables are associated with risk identification?

weighted factor analysis and threat/asset matrix

Mitigation Approach includes

- Disaster Recovery Plan (DRP): restoration of operations in a total-loss scenario
- Business Continuity Plan (BCP): continue basic operation without given resources
- Incident Response Plan (IRP): immediate actions in the event of an incident

Mitigation

- attempts to reduce the impact of vulnerability exploitation through planning and preparation

Weighted Factor Analysis Summary

- value and prioritize assets
- key info: weighted score for each asset

What is a threat/asset matrix?

Assets are on one axis and threats are on the other axis; under each asset you mark which threats apply to it

Examples of threats with info security

Acts of human error or failure, forces of nature, technological obsolescence, hardware and software failures

Strategies available to control identifiable risks

- Apply safeguards (defense)
- Transfer the risk (transference)
- Reduce impact (mitigation)
- Understand consequences and accept risk (acceptance)
- Eliminate vulnerable asset (termination)

What two tools can be used to show that due care and due diligence are being met?

- Benchmarking: meets acceptability of other industry participants or leaders
- Best Practices: provide a superior level of protection of information compared to the industry mean

Tools for controlling Risk

- CBA
- Benchmarking
- Best Practices

What deliverables are associated with risk assessment?

Ranked vulnerability worksheet

What are the three components of risk management?

Risk control, risk identification, risk assessment

Risk Control

applying controls to reduce risks to an organization's data and information systems

Questions for valuation and prioritization

- Can this asset be monetized?
- Is it critical to the organization's success?
- Is it essential for revenue/profitability?
- Is it the most expensive to replace or protect?
- Would it be embarrassing or a cause of great liability if lost?

Most organizations do not need a detailed level of

classification - typically just military and federal agencies

Asset attributes for data

classification, owner/manager, online/offline, location, data structures used, backup procedures

What deliverables are associated with risk control?

defense strategy

What are the five strategies for risk control?

defense, risk transfer, mitigation, acceptance, termination

Asset Attributes for procedures

description, storage location for reference, intended purpose, associated assets, storage location for update

During Threat Identification

determine the realistic threats needing investigation; unimportant threats are set aside

What is the equation for the estimated risk?

estimated risk = A*S*M

Risk Identification Summary

- formal process of examining and documenting risk present in information systems
- enables identification, classification and prioritization of the organization's information assets

Know the enemy

identify, examine and understand threats facing the organization
